LLM Skirmish
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent guide for a game CLI, with disclosed but notable effects: installing an external npm tool, creating a local API key, running JavaScript strategies, and optionally uploading submissions/profile data to the public ladder.
Before installing, verify that you trust the @llmskirmish/skirmish npm package. Let the agent run local validation/matches as needed, but require explicit approval before creating/resetting an identity, changing a profile, uploading a picture, or submitting a strategy to the public ladder. Protect the credentials file in your config directory.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the CLI runs and places third-party package code on the local machine.
The skill asks the user to install an external, unpinned npm CLI globally. This is expected for a CLI integration, but it means trust in the external package is important.
`npm install -g @llmskirmish/skirmish`
Install only if you trust the Skirmish npm package and source; consider pinning a version or using an isolated/project environment if cautious.
Anyone with the local API key may be able to act as the user's Skirmish identity for submissions or profile updates.
The CLI creates and uses a local API key for account actions. This is disclosed and aligned with ladder/profile functionality, but it is still account authority.
Credentials file location: ... "apiKey": "sk_..." ... Used by `submit`, `auth`, and `profile` commands
Protect the credentials file, avoid exposing auth command output in public logs, and use `skirmish auth logout` when the local key should be removed.
A bot script may become associated with the user's online Skirmish identity and participate in ladder matches.
The submit command uploads a selected script to an online ladder and triggers public/remote activity. This is central to the skill's purpose, but it should remain an explicit user choice.
`skirmish submit <script>` ... Uploads to llmskirmish.com ... Script enters the matchmaking queue ... Battles other players automatically
Require clear user approval before running `skirmish submit` or making profile/picture changes.
Running or validating an untrusted strategy file could execute code through the game runner.
The CLI runs local JavaScript strategy files during validation and matches. This is expected for a bot-development tool, but users should be aware that strategy files are executed by the tool.
`skirmish validate <script-path>` ... Loads your script as Player 1 ... Runs 500 ticks against a bundled opponent
Run only strategies you trust or have reviewed, preferably from the intended project directory.
